Monday, December 23, 2013

OWASP Media Project after AppSecUSA 2013

At the last AppSecUSA, the OWASP Media Project put 43 videos online, totalling 32 hours of talks, plus 6 videos from the Project Summit, for 2.5 hours of content. The summit was streamed live, the first talks were online less than 24 hours after they were given, and the rest were published within one week of the conference.

Now for some stats, covering from November 17th 2013 to December 19th 2013.

We are at 11,289 views and 79,874 of estimated watched minutes.

Let me remind you that before that, we were at 245 views for 1,312 minutes, mainly from the OWASP Global Meetup live hangouts.

As for the subscribers, we are at 438; we gained 442 of them through the AppSecUSA efforts and lost 4, hence the numbers.

The average view duration is 7:04 minutes, which is 16% of the total video length. Since most of our videos are one hour long, this is normal and in fact is probably a great number for YouTube.

Notable popular videos are:
OWASP Zed Attack Proxy - Simon Bennetts
2,126 views 17,712 minutes watched 8:19 avg

Top Ten Proactive Controls - Jim Manico
845 views 8,293 minutes watched 9:48 avg

What You Didn't Know About XML External Entities Attacks - Timothy Morgan
790 views 5,857 minutes watched 7:24 avg

Finally, the countries with the top viewership:
United States 37%
Canada 12%
United Kingdom 4.0%

I must point out that we were watched in 114 countries in total. That's amazing and shows the power of OWASP worldwide.

With that big first step done, we will continue with our Roadmap, and the next thing on the table is to present a Webinar on how to use Google Hangout with live YouTube streaming. We will also shake things up with the Chapters by encouraging them to use Hangout and YouTube in order to get more involved in the Global Chapter Meetings Project. This has great potential but is not really used right now to help smaller chapters get content.

And last, but not least, we are officially on the home page and we can control what is shown without having to edit the Wiki.

One thing that is sure, is that we need more people in OWASP Media project. The good news is, unlike most other OWASP projects, you don't need to be an application security specialist to be really useful, you just need to be motivated to share knowledge with the world. If you want to join us, contact Jonathan Marcil the project leader.

Thanks to all who contributed and helped with OWASP Media Project!

Visit us and subscribe:


Thursday, December 19, 2013

OWASP Annual Report RFP


The Open Web Application Security Project (OWASP) is planning to develop a new design and formal execution of an online Annual Report. The report will contain content and highlights to help tell the OWASP story for 2013 and also act as a representative source of financial and membership information for all visitors seeking to learn more about the organization and its programs and activities.

Content of the Annual report:

Items and areas to be considered:

  • Mission and purpose
  • Achievement Stories
  • Financial Report (s)
  • Milestones and Highlights
  • Conferences and Outreach
  • Charity Aspects of the Organization
  • Membership and chapters reports
  • Project Reports (releases, summit, awards, content)

All items will include a combination of text and graphics.


Annual Report Book Design
Website Design

Additional Requirements:

Establish and develop an overall theme statement and content outline that unites the online communications of the project with the goals and mission of the organization

OWASP Foundation will provide copy writing, style guide, data, editing, and community graphics

OWASP will own the rights to the website as well as an editable file of the print version


  • Deadline for submissions for quotes is January 15, 2014
  • Project will be awarded January 20, 2014
  • The finished report will be delivered by February 28, 2014

Submit your quote along with 3 examples of a similar project completed to

ESAPI Hackathon / Bug Bash Contest

Our very own OWASP ESAPI Project Leaders, Chris Schmidt and Kevin Wall, are hosting the OWASP ESAPI Hackathon starting on Friday, December 20th 2013 and ending on Monday, January 20th 2014. The aim of the ESAPI Hackathon is to encourage contributors to implement modular security controls, fix existing bugs, provide reference implementations, and improve user documentation.

Each participant will be evaluated by four judges, and prizes will be awarded to those who provide the most valuable contribution to the project. Here is the list of prizes:

First place: Apple iPad Mini and an ESAPI T-shirt

Second place: $30.00 (USD) Amazon Gift Card and an ESAPI T-shirt

Third place: $20.00 (USD) Amazon Gift Card and an ESAPI T-shirt

Fourth place: An ESAPI T-shirt

We encourage all those who can participate to contribute to the OWASP ESAPI Project. Please view the contributing guidelines wiki page for more detailed information on participant expectations. If you still require more assistance, please contact either Kevin Wall ( or Chris Schmidt (

Download a PDF version of the guidelines here.

Friday, December 13, 2013

OWASP Global Connector


Featured OWASP Project

OWASP Application Security Guide For CISOs Project
Among application security stakeholders, Chief Information Security Officers (CISOs) manage application security programs according to their own roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout the guide.

New OWASP Projects

OWASP Security Labeling System Project
The purpose of this project is to create a transnational, market-wise software security labeling system. Security is invisible, so the OWASP labeling system will help to make it visible. The system consists of different kinds of OWASP security labels for Web applications and software.

OWASP Financial Information Exchange Security Project
This project focuses on the FIX protocol with the aim of developing a Java client to be used during security assessments of custom FIX implementations. The project will also produce best practice guidance for FIX protocol security. More to come soon ...

OWASP Reverse Engineering and Code Modification Prevention Project
The purpose of this project is to educate application security experts about the risks and appropriate mitigation techniques that organizations should implement to prevent an adversary from reverse engineering or modifying the developer's code within untrustworthy environments. More to come soon ...

Project Announcements

OWASP Code Review Guide Project
Message from Project Leader, Larry Conklin.
I am in need of authors to sign up to finish some chapters of the Code Review Guide V 2.0. I am hoping we can get twelve articles done by the first of the year.

Authors, if you want to write other content, please do so. We have a lot of work already completed. We need to finish this book. Please do not sign up for more than one article at a time. You can do more than one article, but let's concentrate on one thing at a time.
Remember - write in the wiki, write often, HAVE FUN.

For a comprehensive list of the sections needing an author, visit the Project Blog Post

Thank you to Dropbox, our newest Corporate Member


AppSec USA 2013 Conference Presentations are now available

Presentation Videos Available Here
Presentations (ppt and pdf) are available here

Global AppSec Events in 2014

AppSec APAC 2014 (March 17 - 20, Tokyo Japan) Call for papers/training open until December 15
AppSec LATAM 2014 - LATAM Tour (April 21 - May 12)
AppSec EU 2014 (June 23 - 26, Cambridge, UK)
AppSec USA 2014 (September 16 - 19, Denver, CO)

Upcoming Regional Events

AppSec California 2014 (January 27 - 28, Santa Monica, CA)
LASCON 2014 (October 21 - 24, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events at the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.

Nullcon (February 12 - 15, Goa, India)
Security, Management, Audit Forum 2014 (February 19 - 20, Poland)

Support the OWASP Foundation while finishing your Holiday Shopping

The OWASP Foundation is enrolled with Amazon Smile. When you shop at Amazon by clicking the logo below, OWASP will receive 0.5% in donations.
Thank you for your continued support!

Got Questions?

The OWASP Foundation is a community of security professionals. Tap into the collective knowledge by submitting your security questions to the Security 101 mailing list. Subscribe to the list


The Cavalry Is US: Protecting the Public Good - Nicholas Percoco and Joshua Corman
(Recorded at AppSec USA 2013 in New York, NY)
This session will both frame the plans to engage in Legislative, Judicial, Professional, and Media (hearts & minds) channels and to organize and initiate our constitutional congress working sessions. The time is now. It will not be easy, but it is necessary, and we are up for the challenge.

December 18, 2013 at 10am EDT
Register Here
December 18, 2013 at 9pm EDT
Register Here
Links to the recordings of previous meetings can be found on the Initiatives Page
The Board of Directors has recently approved three new OWASP Project-related policy and guideline documents. They outline the rules of engagement for grant spending, project spending, and project sponsorship.

The Grant Funding and Spending Policy lists the ways in which grant awarded funds are to be managed and spent.

The Project Spending Policy outlines how project funds can be spent, and what appropriate project expenses are.

The Project Sponsorship Operational Guidelines aim to provide clear expectations of how sponsors and projects are expected to interact when sponsorship funds are given to a project.
To view the documents, please click on the corresponding link.

Thursday, December 12, 2013

12 Days of Christmas w/ Hacker Claus

Ok builders, breakers and defenders.... gather around the FIREwire and sing with me;

On the 1st day of Christmas a malicious hacker faxed to Johnny <pause> proof of SQLi in his production website (database using SELECT * FROM members WHERE username = 'admin'--' AND password = 'password') with a username list

On the 2nd day of Christmas the hackers gave to Johnny a Cross Site Scripting vuln in his high risk web application <IMG SRC="javascript:alert('XSS');"> that his automated scanner missed, and a link to OWASP Cheat Sheets and Core Rule Set suggestions for monitoring and potentially blocking the input, output, or system service calls.

On the 3rd day of Christmas the hackers gave to Johnny an Insecure Direct Object Reference on a critical system that provided full admin access to the application because.... Johnny made a mistake and forgot to add a rule to deny any to an obscure management port

On the 4th day of Christmas the hackers gave to Johnny.... A FREE .PDF Book on how to find application security flaws and the NEW video series from AppSecUSA 2013 (43) Videos and 32 hrs of content

On the 5th day of Christmas the malicious hackers parked in front of Johnny's favorite coffee shop and conducted a man-in-the-middle hot-spot honeypot -- then proved to Johnny that "Password1" is not a good password and how quickly a hash can be cracked

On the 6th day of Christmas the hackers gave to Johnny code snips of critical system code on the new secret internal project that they picked up from PasteBin

On the 7th day of Christmas a hacker breached Johnny's door using a "9999" cut bump key on door #1, a shim on the padlock that secured important information, and placed a "boom" sign inside my top right desk drawer that was locked to prove a point about my lame physical security... --- seems they also drank his 18 year old scotch too!

On the 8th day of Christmas the hackers returned to Johnny a bag of dumpster diving treasure to point out the lack of a cross-cut shredder; it included bills from trusted vendors with account info, credit card carbons, internal printed emails, customer data and more...

On the 9th day of Christmas hackers hacked Johnny via an email aimed at his wife concerning a refund of a holiday purchase, with targeted malware using a custom packer that bypassed my installed and updated corporate AV investment. After getting a remote shell they then popped Johnny's work laptop, which was also connected to my home network and was unpatched due to the holiday freeze, then exported the cert on the VPN client and installed a keystroke logger on the computer that I use for business to capture the password.... ouch..

On the 10th day of Christmas the hackers gave to Johnny a FREE audio blog to help educate him

On the 11th day of Christmas the hackers knocked down my e-commerce website during the busy online shopping season with a Denial of Service Tool 

On the 12th day of Christmas hackers mailed a link... Johnny noticed his company was on the list of incidents involving the breach of personally identifying information (PII), and his information may have been in a dump of over 2M users because his machine was infected with malware from Day #1

...... as a result he reached out to the LOCAL OWASP Chapter and started to ask questions, review the OWASP Foundation website and interesting projects including the Enterprise Security API (ESAPI), Free Videos, Guidance on Mobile Security, Job Postings from around the world and over 100+ other projects:

May all your Christmases be 


Monday, December 9, 2013

Code Review Guide Project: Message from Project Leader Larry Conklin

I am in need of authors to sign up for the following….
  1. Manual Review - Pros and Cons (
  2. 360 Review: Coupling source code review and Testing / Hybrid Reviews (
  3. Code Review Approach ( I am not sure about this subject. It seems to me it would be covered in the above section under Code Review Introduction.
  4. Application Threat Modeling ( Update this section. I am going to take this one.
  5. Understanding Code layout/Design/Architecture (
  6. SDLC Integration ( Update this section
  7. Secure Deployment Configuration (
  8. Metrics and Code Review ( Update this section
  9. Source and sink reviews (
  10. Code Review Coverage ( Update this section
  11. Risk based approach to Code Review (  I am not sure about this subject. It seems to me it would be covered in the above section under Code Review Introduction.
  12. Code Review and Compliance (  Update this section
I am hoping we can get these twelve articles done by the first of the year. Hey, it's Christmas time of the year for some of us, so 12 articles and 12 days of Christmas kinda go together. :-)

Authors, if you want to write other content please do so. We have a lot of work already completed. I am trying to get the holes filled in for the first two sections; this way we can get reviewers to begin on the first two sections and make some changes to the structure of the content so it is more in book form.

I have taken off names of authors who have not contributed any work. If your name was taken off and you wish to contribute to this project you can. You have not been kicked off the project. I need to make sure content gets created and we have great technical content. Your name hanging out there with no contribution may discourage another author from helping with the subject.

All, we need to finish this book. Please do not sign up for more than one article at a time. You can do more than one article, but let's concentrate on one thing at a time.

Remember…Write in the Wiki, Write often, Have fun.

Larry Conklin, CISSP

Tuesday, November 26, 2013

OWASP Global Connector November 26, 2013


2013 Project Summit

I just wanted to take some time to thank all of the OWASP Project Leaders that participated in last week's project talks, and the OWASP Project Summit at AppSec USA in New York.  Both activities were great successes.  They could not have been as terrific without your hard work, dedication, and contributions.  I hope to see you again next year! Samantha Groves 

Project Announcements

OWASP Media Project

Jonathan Marcil, project leader, was at AppSec USA this past week recording our attending Project Leaders' presentations during the Summit. We now have an excellent collection of talks on our OWASP YouTube channel. If you want to watch, please visit our official YouTube channel


Thank you to our Newest Corporate Member

Micro Trend

Thank you to our Renewed Corporate Members

Best Buy

Proposed Change to Corporate Membership Model

Comment Period Open

The board voted to move to a tiered corporate membership model. This enables organizations to support OWASP at a variety of levels. We are still working on the details of the updated membership matrix. We are seeking input and feedback from current and potential corporate supporters on the proposed model.

Please take a few minutes to review the proposal and provide us with your feedback.  You can email us at

New Membership Model Proposal


Thanks to EVERYONE who helped out with the OWASP Foundation AppSec USA 2013 event. In total we raised over $250,000.00 for the OWASP Foundation, and more than a few media hits mention the event, in line with our mission of raising awareness. The videos will be online here: Global OWASP YouTube Channel.

2014 Global Conference Schedule:  

AppSec APAC 2014 - March 17-20, Tokyo, Japan  CALL FOR PAPERS/TRAINING IS NOW OPEN
AppSec EU - June 23-26, Cambridge, UK
AppSec USA - September 16-19, Denver, CO

Local and Regional Events

OWASP BeNeLux - Nov 28-Nov 29, Netherlands

AppSec California 2014 - Jan 27-Jan 28, Santa Monica, CA 

Partner and Promotional Events

OWASP has partnered with these great events in the latter half of 2013 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.

Atak i Obrona (Attack & Defense) 2013 - Poland, November 26

Cloud Security Alliance Congress 2013 - Orlando, FL, December 4-5 - OWASP Members receive a 10% discount by using discount code:  CSA13/OWASP

Winter Hacker Festival 2013 presented by HackMiami - Miami, Fl, December 5-7

Nullcon - Goa, India, Feb 12-15, 2014  Call for papers is open.  Submit here

Security Management Audit Forum 2014, Poland, February 19-20

Congratulations to the 2014 Foundation Board of Directors

Board Chair
Michael Coates

Vice Chair
Tom Brennan

Josh Sokol - NEW

Tobias Gondrom - NEW

Members at Large
Fabio Cerullo - NEW
Eoin Keary
Jim Manico

Also, many thanks to Sebastien Deleersnyder and Dave Wichers for their many years of service on the OWASP board.  While their involvement on the board will be coming to a close at the end of 2013, we fully expect we will continue seeing them at many AppSec and other OWASP events.

More information on the election and the candidates can be found on



Global Webinar Series

December 4th
Abbas Naderi
PHP Security Project

Abbas will walk us through the PHP framework and demonstrate proper usage of the tools and libraries.

10am EST - LIVE


9pm EST - Recorded Session


Updated OWASP Brand Resources

A comprehensive library of OWASP images, logos, avatars, and other marketing resources - as well as the research used to create these new logos - is now available on the wiki. Please use these images and brand guidelines when editing and creating content on behalf of OWASP.



Monday, November 25, 2013

AppSec APAC 2014. Call for papers and training open until December 15, 2013


The OWASP Japan Chapter is accepting paper and training submissions for AppSec APAC 2014, March 17-20, Tokyo.

We're accepting sessions in the following topics:
  • Security aspects of new web technologies (HTML5, CSP, etc.)
  • New Attack and Defense
  • Mobile security
  • Cloud security
  • SDL
  • Automated security testing
  • Security awareness and education
  • Threat modeling
  • Secure coding and code review
  • OWASP Projects
  • Case Studies
  • Legacy system and maintenance

If you want to present a session in Tokyo, now is the time to send an e-mail to the selection committee at providing them with:
  • Title of your presentation or training session.
  • Presentation type (talk or training).
  • Language: Please note that all proposals and presentations must be in English or Japanese.
  • Short description: A summary of the main idea of your proposal. Absolute limit of 30 words.
  • Abstract: A concise description of the purpose, methods, and implications of your presentation. Length 150-200 words.
  • Previous speaking experience (or references).
  • Your bio.
  • Your e-mail.

Important Dates
  • The call for papers and training ends December 15, 2013 at 11:59PM JST.
  • Notification of acceptance: January 5, 2014

For more information please visit AppSec APAC 2014 Call for Papers and Trainings.

We are looking forward to seeing you in Tokyo!

AppSecUSA 2013 Wrap Up

I wanted to take a moment to thank EVERYONE who helped out with the OWASP Foundation AppSecUSA 2013 event.

In total we raised over $250,000.00 for OWASP Foundation and below I have included just a few media hits that mention the event in line with our mission of raising awareness. If you have additional items that I missed, please add them in the comments.

A FAQ has been about the videos - we have them coming online here:

Semper Fi,

Tom Brennan

AppSec USA Hits:

Study: Most Application Developers Don't Know Security, But Can Learn
Dark Reading

Hack-a-thon Finds 220 Bugs in Facebook, Google, Etsy

How Facebook reveals your friends list even when it's set to private

Going Back to the Future in the Name of Good Security

Moving from Do Not Track to Can Not Track

"Let's Do Security That Matters"

Information Security: We Still Have a Long Way to Go

Where Developers are Dropping the Ball – OWASP AppSecUSA
Information Security Buzz

If you are running your business on a mobile device you may be putting your customers at risk

iOS Point-of-Sale Devices Pose Security Risk
eSecurity Planet

Wait, wait… don't pwn me! – Game show on security news
Trusted Software Alliance

OWASP Foundation: New York Times CTO; Senior Executives from HP, Oracle, Bloomberg LP Among Confirmed Speakers For AppSec USA
Dark Reading

Security: I think we can win

The perilous future of browser security

Training developers at appsecusa

Build but don't break

HTML 5: Risky Business of Security Tool Chest?

What could go wrong – thinking differently about security at app sec usa

Java and Oracle on security at app sec usa

DevOps and Portfolios

Accidental Abyss: Data Leakage

Introduction to the newest addition to OWASP Top 10

Everything we know about Web security is wrong

Not All CSRF Defenses are created Equal

AppSensor at AppSec USA in New York
Web Security, Usability and Design

AppSec USA 2013
Bombshell Tech

AppSec USA 2013
AppSec USA, November 18-21, NYC
Software Developers' Journal

OWASP Foundation Presents: AppSecUSA 2013
Gary's Guide

OWASP AppSec USA 2013
Government Security News

OWASP AppSec USA 2013
Homeland Security Today

At @appsecusa hearing @joshcorman & @c7five discuss hacking cars, pacemakers & insulin pumps. Scary, sobering stuff.
Had an eye-opening experience at @appsecusa.
AppSecUSA Photos and comments from the show floor

Did we MISS SOMETHING? Add it to the comments.

Monday, November 18, 2013

The Great OWASP Bug Bash of 2013

OWASPers -

CALLING ALL SECURITY NINJAS… Whether you're attending Appsec in person or in spirit, you're invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first ever Internet-wide bug bash.

This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world's largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex, will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world's largest gummy bug and more!

Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

Just some of the targets to pick from:

To participate, join us at the event:
When: Monday & Tuesday Night 8pm – 11:59pm
Where: 16th Floor Skylobby
When: Wednesday Night 8pm – 11:59pm
Where: 5th Floor Ballroom

For the global ninjas who wish to participate remotely click this link to play

Want to participate in Team OWASP and work together to find vulnerabilities with the proceeds benefiting OWASP?

Here is our disclosure agreement (download)

Team OWASP - Bug Bounty Program Agreement

I agree to participate on Team OWASP, and share information amongst the team for purposes of collaborating on finding and disclosing security vulnerabilities in the authorized bug bounty programs listed below.

I will respect and follow the guidelines for responsible disclosure set forth by the authorized bug bounty programs. If you have questions about the details of these guidelines, please read the information provided on the links below.

For example, here are the first two items on LinkedIn's responsible disclosure policy:

I agree that any awarded bounties for vulnerabilities found by Team OWASP will be paid directly to the OWASP Foundation.

With mobile app
Web related apps:
Open source:

Name Printed

_________________________________                   _______________________
Name Signed Date